bpainter
Visitor.
564 views

GW monitor 14.2.3 remove access to Web Console

Hello -

GW 14.2.3 on SLES11SP4/OES2015.1

How do I remove access to the web console for gwmonitor? I do not need access from the outside to gw mon and was curious what config file(s) to edit to remove this access - if that is possible. I still need the agent console but not the web console.

Thanks,
Brad
Labels (1)
0 Likes
6 Replies
Knowledge Partner
Knowledge Partner

Re: GW monitor 14.2.3 remove access to Web Console

In article <BPainter.8yeppz@no-mx.forums.microfocus.com>, BPainter wrote:
> How do I remove access to the web console for gwmonitor? I do not need
> access from the outside to gw mon and was curious what config file(s) to
> edit to remove this access - if that is possible. I still need the agent
> console but not the web console.


To make sure we are on the same page
you want to not have the GW Monitor web page running/accessible at all,
but still want the agents pages such as for POA, MTA, GWIA to be
accessible?

If you don't want the only GUI for GW Monitor running, do you really need
GW Monitor itself running? If you don't needed it, then we can just stop
it from starting in the first place.

If you still want the GW Monitor accessible on the inside but not the
internet, then it is a case of proper firewalling, i.e. Where you have at
your perimeter that only allows specified ports in, blocking the rest such
as port 8200.

If you still want GW Monitor to alert in the background, but have no GUI,
then what might work is to comment out the <HTTP> section of your
monitor.xml Note that I have never tried that, and don't have any of my
GW Monitor instances visible to the public interenet, only if I am on the
local network in some fashion (such as in person or VPNed in)


Andy of
http://KonecnyConsulting.ca/gw in Toronto
Knowledge Partner
https://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!

___
Andy of Konecny Consulting in Toronto
Knowledge Partner Profile
If you find a post helpful, click the Like button below. Thanks!
0 Likes
bpainter
Visitor.

Re: GW monitor 14.2.3 remove access to Web Console

I agree that the firewall option is the best route but that would require contacting those in charge of that - for various reasons I would like to avoid that. Since there are two ways to access GW Monitor - one being the Agent Console and two being the Monitor Web Console. I would like to remove access to the Monitor Web Console (external) but keep access to the Monitor Agent Console (internal). I suppose I could use the SLES FW but currently that is disabled. I thought there would be a config file entry that I could just comment out but maybe not. Thanks for the reply.

bp
0 Likes
Knowledge Partner
Knowledge Partner

Re: GW monitor 14.2.3 remove access to Web Console

In article <BPainter.8ym4un@no-mx.forums.microfocus.com>, BPainter
wrote:
> I thought there would be a
> config file entry that I could just comment out but maybe not.


Or, if you don't need apache for anything, just turn apache off

I hadn't been previously aware that we had two different Web type
consoles, had only used the {serverIP}:8200 route.
Found the {serverIP}/gwmon/gwmonitor that I believe you are discussing
and that appears to be dependant on apache&tomcat and is broken on the
deployment I am looking at currently.

I see gwmon files that appear to be related in
/etc/opt/novell/httpd/conf.d
/var/opt/novell/tomcat6/webapps
as per
https://www.novell.com/documentation/groupwise2014r2/gw2014_guide_insta
ll/data/install_mon_plan.html
and I believe that just moving those files out should do the trick for
you if shutting down apache isn't an option.

Now I am rather bothered that just turning it off is not an option,
such that this really needs to be an option. As such I've written up
the following Idea that I hope you vote for.
https://ideas.microfocus.com/MFI/mf-gw/Idea/Detail/14870


Andy of
http://KonecnyConsulting.ca/gw in Toronto
Knowledge Partner
https://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!

___
Andy of Konecny Consulting in Toronto
Knowledge Partner Profile
If you find a post helpful, click the Like button below. Thanks!
Highlighted
bpainter
Visitor.

Re: GW monitor 14.2.3 remove access to Web Console

Yes the {serverIP}/gwmon/gwmonitor is the option I am referring too. I saw those gwmon files in /etc and /var as well but wasn't sure if there was an easier way so that's why I asked. Thanks for creating the Idea in the portal - I was going to do the same.
0 Likes
Knowledge Partner
Knowledge Partner

Re: GW monitor 14.2.3 remove access to Web Console

In article <BPainter.8ypv40@no-mx.forums.microfocus.com>, BPainter wrote:
> Yes the {serverIP}/gwmon/gwmonitor is the option I am referring too. I
> saw those gwmon files in /etc and /var as well but wasn't sure if there
> was an easier way so that's why I asked. Thanks for creating the Idea
> in the portal - I was going to do the same.


I wonder how many installs of Monitor out there are left exposed to the
outside that nobody knows about. A security issue one would think. Good
advice is to not install Monitor on a WebAccess or otherwise http/https
accessible box from the outside, at least until this is fixed.
Just editing the index.html under /var might be enough for a work around.
My friend who is big on Monitor suggests that it is the only part of the
Monitor application (vs the agent), so un-installing that may be the
trick.

I see your vote and comment, now to see if anyone else agrees and gives
that idea some love with a vote.


Andy of
http://KonecnyConsulting.ca/gw in Toronto
Knowledge Partner
https://forums.novell.com/member.php/75037-konecnya
If you find a post helpful and are logged in the Web interface, please
show your appreciation by clicking on the star below. Thanks!

___
Andy of Konecny Consulting in Toronto
Knowledge Partner Profile
If you find a post helpful, click the Like button below. Thanks!
0 Likes
ABach Contributor.
Contributor.

Re: GW monitor 14.2.3 remove access to Web Console

GroupWise Monitor originally came as an Agent (port 8200) and Application (integrates into web server). Recent versions of GroupWise no longer include the Application AFAIK, but if you've upgraded GroupWise over the years, it may have been left in place on your web server from an earlier install.

Here's docs on Monitor Agent/Application from GW8 for example:
https://www.novell.com/documentation/gw8/gw8_install/data/bpcm0jj.html

This page also mentions the "Monitor Security Requirements" similar to your issue and suggest using a proxy server to control access from the outside.

I think that just removing the un-needed pieces is probably your only solution given that any install/uninstall routine for the Monitor Application are no longer available.

=====>Andreas
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.